Q2. Which of the following is not a valid value for the Event Count Key field?
A. Attacker address
B. Victim address
C. Attacker and victim addresses
D. Attacker address and port
E. Attacker address and victim port

Answer: D

Q3. To create a signature that generates an alert based on multiple component signatures, which of the following signature engines should you use?
A. AIC HTTP
B. Meta
C. Normalizer
D. Multi String
E. Service General

Answer: B

Q4. Which of the following is considered tuning a signature?
A. Enabling a signature
B. Disabling a signature
C. Changing the Alert Severity level
D. Changing the signature's engine-specific parameters
E. Assigning a new signature action

Answer: D

Q5. Which of the following is not considered tuning a signature?
A. Changing the signature's engine-specific parameters
B. Changing the signature's event counter parameters
C. Assigning a new severity level
D. Changing the signature's alert frequency parameters

Q7. Which of the following is true about meta signatures?
A. The meta signature can use only component signatures from the same signature engine.
B. The order of the component signatures can be specified.
C. The order of the component signatures cannot be specified.
D. You can configure a reset interval for each component signature.

Answer: The Signature Fidelity Rating indicates the likelihood that a signature will detect actual attack traffic without the sensor having specific knowledge about the target system’s operating system and applications.

Q13. What does the Alert Severity level indicate?

Answer: The Alert Severity level indicates the relative seriousness of the traffic that the signature is designed to detect.

Q14. What values can you assign to the Event Count Key field?

Answer: You can assign the following values to the Event Count Key field: attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address.

Q15. What does the Event Count Key specify?

Answer: The Event Count Key specifies which IP addresses and/or ports are used when determining unique instances of a signature's traffic.

Q17. When configuring a signature with the Meta signature engine, which engine-specific parameters do you need to specify?

Answer: When defining a signature with the Meta signature engine, you need to define the signatures that comprise the meta signature, the number of unique victims needed to trigger the signature, the IP addresses or ports used to determine unique signature instances, and potentially whether the order of the component signatures is important.

Q18. Explain Application Policy Enforcement and identify which signature engines support this capability.

Answer: Application Policy Enforcement refers to the capability to provide deep-packet inspection for Layer 4 through Layer 7 for specific protocols, enabling a much more granular verification of your defined security policy. This functionality is provided by the AIC HTTP and AIC FTP signature engines.

Q19. What are some of the checks provided by the AIC HTTP signature engine?

Q21. Signature tuning does not usually involve changing which signature parameters?

Answer: Signature tuning does not usually involve enabling or disabling a signature, changing the alert severity, or assigning a signature action.

Q22. What are the four high-level steps involved in creating a custom signature?

Answer: When creating a custom signature, you need to perform the following tasks: choose a signature engine, verify existing functionality, define the signature parameters, and test the new signature’s effectiveness.

Q23. What are the factors that you need to consider when choosing a signature engine for a new signature?

Answer: When choosing a signature engine for a new signature, you need to consider the following factors about the traffic being detected: network protocol, target address, target port, attack type, and inspection criteria.

Q24. What is the difference between adding a new signature and creating a new signature by using the cloning functionality?

Answer: Using the cloning functionality enables you to initially populate a new signature with the values for an existing signature. This can save time when you are creating a new signature based on an existing signature.

Q25. What regex matches the following patterns: ABXDF, ABXXDF, and ABD?

Answer: A regex that detects ABXDF, ABXXDF, and ABD is AB[X]*D[F]*. The asterisk (*) enables the preceding character class to occur 0 or more times. With the patterns specified, you could also have specified [D]+ to allow one or more Ds, since it is not clear from the patterns whether more than one D is allowed.